Firewalls protect against network-based attacks. Firewalls detect attacks using attack signatures. Each attack signature is a rule or policy for detecting one or more attacks. An attack signature defines any of the parameters, structure, or format of one or more attacks. When inbound messaging is directed to a recipient behind the firewall, the firewall examines the messaging to determine whether any patterns therein match any of the enabled attack signatures. When a match is found, the messaging is determined to harbor an attack. The firewall ordinarily blocks such a message and prevents it from reaching the intended recipient behind the firewall.
Firewall administrators have the ability to turn different signatures on and off to customize the protections provided by the firewall. Firewall administrators can simply turn on all attack signatures. This over-inclusive approach may be effective so long as the signatures are updated to account for emerging threats. This over-inclusive approach does, however, come at the expense of firewall performance. Each additional attack signature the firewall uses to inspect messaging consumes one or more processing cycles of the firewall, thereby introducing some temporal delay. A firewall under heavy load can quickly become overwhelmed when too many signatures are enabled and each inbound message is screened using a large number of signatures. The over-inclusive approach also ignores the reality that certain threats are defused by internal system and software updates or by software reconfiguration. In other words, the firewall can waste processing resources and introduce unnecessary delay when attempting to detect and block threats that have been neutralized or resolved as a result of closing the security holes that the threats attempt to exploit.
To avoid the wasted processing cycles and the performance penalty resulting therefrom, firewall administrators can be selective in which attack signatures they enable. As different networks and service providers rely on different systems, software, and software configurations, each with their own vulnerabilities, administrators customize the firewall protections according to the vulnerabilities and attacks that the internally used systems and software are susceptible to.
However, administrators may be unaware of certain vulnerabilities or be unaware of what certain signatures protect against. Any firewall misconfiguration or signature omission can have severe ramifications if an attack successfully penetrates the firewall. Accordingly, one of the biggest issues is the human component and the manual manner in which firewall protections are configured.
There is therefore a need to automate firewall protections. To this end, there is a need to intelligently and automatically identify the vulnerabilities inherent within network systems, software, and software configurations, and to automatically customize the firewall protections in response. The end result would not only provide security, but security without performance penalties associated with protection against obsolete or neutralized attacks.
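As an added illustration of the selection described above (example code, not from the original text or any product it describes), the following script derives the set of signatures to enable from an inventory of the software running behind the firewall: a signature is skipped when the targeted software is not present or when the installed version already closes the hole. The signature identifiers, product names, and version values are constructed placeholders, and the rules are assumed to carry the product and the first fixed version they relate to.

```python
# Added example: choose attack signatures from an inventory of protected software
# so that signatures for neutralized threats do not consume inspection cycles.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Signature:
    sig_id: str            # hypothetical identifier, e.g. "SIG-002"
    software: str          # product whose vulnerability the attack exploits
    fixed_in: Tuple[int, ...]  # first version that closes the hole; () = no fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '2.4.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def select_signatures(inventory: Dict[str, str],
                      signatures: List[Signature]) -> Dict[str, str]:
    """Return {sig_id: reason} for every signature that should stay enabled."""
    enabled = {}
    for sig in signatures:
        if sig.software not in inventory:
            continue  # attack targets software not deployed behind the firewall
        installed = parse_version(inventory[sig.software])
        if sig.fixed_in and installed >= sig.fixed_in:
            continue  # installed version already closes this security hole
        enabled[sig.sig_id] = (
            f"{sig.software} {inventory[sig.software]} is still exposed")
    return enabled


# Constructed sample data: what runs internally, and the signature catalogue.
INVENTORY = {"webd": "2.4.1", "maild": "1.0.0"}
CATALOGUE = [
    Signature("SIG-001", "webd", (2, 4, 0)),   # patched by 2.4.0 -> skip
    Signature("SIG-002", "webd", (2, 5, 0)),   # fix not yet installed -> enable
    Signature("SIG-003", "dbd", (9, 0, 0)),    # dbd not deployed -> skip
    Signature("SIG-004", "maild", ()),         # no fix available -> enable
]

if __name__ == "__main__":
    for sig_id, reason in select_signatures(INVENTORY, CATALOGUE).items():
        print(sig_id, "enabled:", reason)
```

Re-running the selection whenever the inventory changes (a patch is applied, software is added) is what turns the manual signature review the text criticizes into an automated one.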